08-01-2021 01:36 PM - edited 08-01-2021 01:46 PM
Hello,
I've recently noticed that when packet tracing Outbound traffic, Firepower appears to loop over certain phases that have already been completed, causing a much larger number of steps than expected. I'd like to know if this is a normal occurrence or if I've misconfigured something on my end.
For context, FTD Version: 7.0.0 Build 94, FMC Version: 7.0.0 Build 94.
Here is a packet-tracer output for pinging 1.1.1.1 from an internal client.
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop [WAN-GW] using egress ifc Outside(vrfid:0)
Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.x.x using egress ifc Inside(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc Inside 192.168.x.x 255.255.255.0 ifc Outside any rule-id 268434435
access-list CSM_FW_ACL_ remark rule-id 268434435: ACCESS POLICY: Site A - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434435: L7 RULE: [A] Internet Access
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.x.x-24
nat (Inside,Outside) dynamic interface dns
Additional Information:
Dynamic translate 192.168.x.x/0 to 76.187.x.x/6232
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc Inside 192.168.x.x 255.255.255.0 ifc Outside any rule-id 268434435
access-list CSM_FW_ACL_ remark rule-id 268434435: ACCESS POLICY: Site A - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434435: L7 RULE: [A] Internet Access
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 9
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.x.x-24
nat (Inside,Outside) dynamic interface dns
Additional Information:
Dynamic translate 192.168.x.x/0 to 76.187.x.x/6232
Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc Inside 192.168.x.x 255.255.255.0 ifc Outside any rule-id 268434435
access-list CSM_FW_ACL_ remark rule-id 268434435: ACCESS POLICY: Site A - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434435: L7 RULE: [A] Internet Access
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 14
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 15
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.x.x-24
nat (Inside,Outside) dynamic interface dns
Additional Information:
Dynamic translate 192.168.x.x/0 to 76.187.x.x/6232
Phase: 16
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 17
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 18
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc Inside 192.168.x.x 255.255.255.0 ifc Outside any rule-id 268434435
access-list CSM_FW_ACL_ remark rule-id 268434435: ACCESS POLICY: Site A - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434435: L7 RULE: [A] Internet Access
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 19
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 20
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.x.x-24
nat (Inside,Outside) dynamic interface dns
Additional Information:
Dynamic translate 192.168.x.x/0 to 76.187.x.x/6232
Phase: 21
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 22
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 23
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc Inside 192.168.x.x 255.255.255.0 ifc Outside any rule-id 268434435
access-list CSM_FW_ACL_ remark rule-id 268434435: ACCESS POLICY: Site A - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434435: L7 RULE: [A] Internet Access
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 24
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 25
Type: NAT
Subtype:
Result: ALLOW
Config:
object network 192.168.x.x-24
nat (Inside,Outside) dynamic interface dns
Additional Information:
Dynamic translate 192.168.x.x/0 to 76.187.x.x/6232
Phase: 26
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 27
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 28
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Phase: 29
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 30
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 31
Type: QOS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 32
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 33
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 34
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1339165, packet dispatched to next module
Phase: 35
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 36
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
00:00:00:00:00:00 -> XX:XX:XX:XX:XX:XX 0800
192.168.x.x:0 -> 1.1.1.1:0 proto 1 AS=0 ID=1 GR=1-1
Packet 3776304: ICMP, 08/01-20:17:04.124291, Type: 8 Code: 0
Session: new snort session
AppID: service: ICMP(3501), client: (0), payload: (0), misc: (0)
Firewall: allow rule, id 268434435, allow
Policies: Network 0, Inspection 0, Detection 4
Verdict: pass
Snort Verdict: (pass-packet) allow this packet
Phase: 37
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop [WAN-GW] using egress ifc Outside(vrfid:0)
Phase: 38
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop [WAN-GW] on interface Outside
Adjacency :Active
MAC address XXXX.XXXX.XXXX hits 0 reference 170
Result:
input-interface: Inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: Outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Any help would be greatly appreciated!
08-01-2021 01:45 PM
Quick Update: I forgot to mention this occurs for real traffic AND packet-tracer traffic.
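An added example that is not part of the original post or of Cisco's tooling: a small Python parser that splits packet-tracer output into its phases and reports which Type/Subtype sequence repeats back to back, and how many times, so a 38-phase trace like the one above can be summarised in two lines instead of read phase by phase. The sample text is constructed and abridged from the output above (the ACCESS-LIST, CONN-SETTINGS, NAT, NAT per-session, IP-OPTIONS block is repeated twice here rather than five times); the code only describes the repetition and says nothing about its cause.

```python
import re

# Constructed sample, abridged from the packet-tracer output in the post above: the
# ACCESS-LIST > CONN-SETTINGS > NAT > NAT/per-session > IP-OPTIONS block repeats twice.
_CYCLE = """\
Phase: {}
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: {}
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Phase: {}
Type: NAT
Subtype:
Result: ALLOW
Phase: {}
Type: NAT
Subtype: per-session
Result: ALLOW
Phase: {}
Type: IP-OPTIONS
Subtype:
Result: ALLOW
"""
SAMPLE = ("Phase: 1\nType: INPUT-ROUTE-LOOKUP\nSubtype: Resolve Egress Interface\n"
          "Result: ALLOW\nConfig:\nAdditional Information:\n"
          "Found next-hop [WAN-GW] using egress ifc Outside(vrfid:0)\n"
          + _CYCLE.format(2, 3, 4, 5, 6) + _CYCLE.format(7, 8, 9, 10, 11)
          + "Phase: 12\nType: FLOW-CREATION\nSubtype:\nResult: ALLOW\n"
          "Phase: 13\nType: SNORT\nSubtype:\nResult: ALLOW\nAdditional Information:\n"
          "Snort Verdict: (pass-packet) allow this packet\n"
          "Result:\ninput-interface: Inside(vrfid:0)\noutput-interface: Outside(vrfid:0)\n")

_PHASE = re.compile(r"^Phase:\s*(\d+)$")
_FIELD = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")
_MULTI = ("Config", "Additional Information")

def parse_phases(text):
    """One dict per phase; stops at the bare 'Result:' that opens the final summary."""
    phases, cur, field = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line == "Result:" and cur is not None:
            break
        m = _PHASE.match(line)
        if m:
            cur = {"phase": int(m.group(1)), "Type": "", "Subtype": "", "Result": "",
                   "Config": [], "Additional Information": []}
            phases.append(cur)
            field = None
            continue
        if cur is None:          # text before the first 'Phase:' line
            continue
        m = _FIELD.match(line)
        if m:
            field, value = m.group(1), m.group(2)
            if field not in _MULTI:
                cur[field] = value
            elif value:
                cur[field].append(value)
        elif field in _MULTI and line:   # continuation of Config / Additional Information
            cur[field].append(line)
    return phases

def signature(phase):
    return (phase["Type"], phase["Subtype"])

def find_repeated_cycle(phases):
    """(start, cycle, repeats) for the back-to-back repeat covering the most phases, else None."""
    sigs, best = [signature(p) for p in phases], None
    for start in range(len(sigs)):
        for length in range(1, (len(sigs) - start) // 2 + 1):
            cycle, reps = sigs[start:start + length], 1
            while sigs[start + reps * length:start + (reps + 1) * length] == cycle:
                reps += 1
            if reps > 1 and (best is None or reps * length > best[2] * len(best[1])):
                best = (start, cycle, reps)
    return best

def report(text):
    phases = parse_phases(text)
    out = [f"{len(phases)} phases parsed"]
    hit = find_repeated_cycle(phases)
    if hit:
        start, cycle, reps = hit
        last = phases[start + reps * len(cycle) - 1]["phase"]
        names = " > ".join(t + (f"/{s}" if s else "") for t, s in cycle)
        out.append(f"phases {phases[start]['phase']}-{last}: {names} repeated {reps}x")
    return "\n".join(out)

if __name__ == "__main__":
    print(report(SAMPLE))
```

Paste the full trace from the post into `SAMPLE` (or read it from a file) and `report()` prints the phase range of the repeated block and its repeat count; the per-phase dicts keep the `Config` and `Additional Information` lines, so the NAT translation or the Snort verdict can be checked from the same parse.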